Fix #412, resolve error in CodeQL Analyze Action

Fixes errors in CodeQL results uploads step. Update parameters in CodeQL "reusable" workflow. BREAKING Interface changes: - Renames callable workflow to `codeql-reusable.yml`, submodules will have to be updated - Adds required `component-path` input parameter - Repurpose tests input to be a boolean tied to "ENABLE_UNIT_TESTS" flag Internal changes: - Use git clone instead of checkout@v2 for the cFS-Bundle - Use symlink to map calling repo workspace to expected cFS Bundle directory location - Enable "code snippets" option to CodeQL Analyze action - Archives sarif files from analysis output - Removes code duplication by using a matrix build for security and coding standard analyses - Alphabetizes workflow inputs and order based on "required" flag
nasa · Feb 3, 2022 · 98e2ef8 · 98e2ef8
1 parent 1d80995
commit 98e2ef8
Show file tree

Hide file tree

Showing 2 changed files with 98 additions and 83 deletions.
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -1,10 +1,22 @@
-name: Reuse CodeQl Analysis
+name: "CodeQL Analysis: cFS-Bundle"
 
 on:
   push:
+    paths-ignore: 
+    - '**/*.md'
+    - '**/*.txt'
+    - '**/*.dox'
+
   pull_request:
+    paths-ignore: 
+    - '**/*.md'
+    - '**/*.txt'
+    - '**/*.dox'
 
 jobs:
   codeql:
-    name: CodeQL Analysis
-    uses: nasa/cFS/.github/workflows/codeql-build.yml@main
+    uses: nasa/cFS/.github/workflows/codeql-reusable.yml@main
+    with: 
+      component-path: cFS
+      make: make -j8
+      test: true
diff --git a/.github/workflows/codeql-reusable.yml b/.github/workflows/codeql-reusable.yml
@@ -1,30 +1,51 @@
-name: "CodeQL Analysis"
+name: "CodeQL Reusable Workflow"
 
 on:
   workflow_call:
     inputs:
-      setup:
-        description: 'Build Prep'
+      # REQUIRED Inputs
+      component-path:
+        description: 'Path to repo being tested in a cFS bundle setup'
         type: string
-        default: 'cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs'
-      make-prep:
-        description: 'Make Prep'
+        required: true
+        default: cFS
+
+      # Optional inputs
+      category:
+        description: 'Analysis Category'
+        required: false
         type: string
-        default: ''
+
       make:
-        description: 'Make Copy'
+        description: 'Build Command'
+        default: '' #Typically `make` or `make install`. Default is blank for workflows that don't need to build source
+        required: false
         type: string
-        default: 'make'      
-      tests: 
-        description: 'Tests'
+
+      prep:
+        description: 'Make Prep'
+        default: make prep
+        required: false
+        type: string
+
+      setup:
+        description: 'Build Prep Commands'
+        type: string
+        default: cp ./cfe/cmake/Makefile.sample Makefile && cp -r ./cfe/cmake/sample_defs sample_defs
+        required: false
+
+      test: 
+        description: 'Value for ENABLE_UNIT_TESTS flag'
         type: string
-        default: ''  
+        default: false 
+        required: false
 
 env:
   SIMULATION: native
-  ENABLE_UNIT_TESTS: true
+  ENABLE_UNIT_TESTS: ${{inputs.test}}
   OMIT_DEPRECATED: true
   BUILDTYPE: release
+  REPO: ${{github.event.repository.name}}
 
 jobs:
   #Checks for duplicate actions. Skips push actions if there is a matching or duplicate pull-request action. 
@@ -40,91 +61,73 @@ jobs:
           concurrent_skipping: 'same_content'
           skip_after_successful_duplicate: 'true'
           do_not_skip: '["pull_request", "workflow_dispatch", "schedule"]'
-          
-  CodeQL-Security-Build:
+
+  Analysis:
     #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
     needs: check-for-duplicates
     if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
     runs-on: ubuntu-18.04
     timeout-minutes: 15
 
-    steps:
-      # Checks out a copy of your repository
-      - name: Checkout code
-        uses: actions/checkout@v2
-        with:
-          repository: nasa/cFS
-          submodules: true
+    strategy:
+      fail-fast: false
+      matrix:
+        scan-type: [security, coding-standard]
+
+    permissions:
+      security-events: write
 
-      - name: Check versions
+    steps:
+      # Setup Bundle directory
+      - name: Setup cFS-Bundle directory (component-path = cFS)
+        if: inputs.component-path == 'cFS'
+        run:
+          echo "BUILD_DIRECTORY=${{github.workspace}}" >> $GITHUB_ENV
+
+      - name: Setup cFS-Bundle directory (component-path != cFS)
+        if: inputs.component-path != 'cFS'
         run: |
-           git log -1 --pretty=oneline
-           git submodule
-           
-      - name: Initialize CodeQL
-        uses: github/codeql-action/init@v1
-        with:
-          languages: c
-          config-file: nasa/cFS/.github/codeql/codeql-security.yml@main
-
-      - name: Copy sample_defs
-        run: ${{ inputs.setup }}
+          cd ..
+          git clone https://github.com/nasa/cFS.git --recurse-submodules
+          cd cFS
+          echo "BUILD_DIRECTORY=$(pwd)" >> $GITHUB_ENV
+          git log -1 --pretty=oneline
+          git submodule 
+          rm -r .git
+          rm -r ${{ inputs.component-path }} 
+          ln -s ${{github.workspace}} ${{ inputs.component-path }} 
 
-      - name: Make prep
-        run: ${{ inputs.make-prep }}
       
-      - name: Make Install
-        run: ${{ inputs.make }}
-
-      - name: Run tests
-        run: ${{ inputs.tests }}
-
-      - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
-
-  CodeQL-Coding-Standard-Build:
-    #Continue if check-for-duplicates found no duplicates. Always runs for pull-requests.
-    needs: check-for-duplicates
-    if: ${{ needs.check-for-duplicates.outputs.should_skip != 'true' }}
-    runs-on: ubuntu-18.04
-    timeout-minutes: 15
-
-    steps:
-      # Checks out a copy of your repository
-      - name: Checkout code
+      - name: Checkout ${{ github.repository }}
         uses: actions/checkout@v2
-        with:
-          repository: nasa/cFS
-          submodules: true
+        with: 
+           submodules: recursive
 
-      - name: Check versions
-        run: |
-           git log -1 --pretty=oneline
-           git submodule
-      - name: Checkout codeql code      
-        uses: actions/checkout@v2
-        with:
-          repository: github/codeql 
-          submodules: true 
-          path: codeql
+        # Setup the build system
+      - name: cFS Build Setup    
+        run: | 
+          ${{ inputs.setup }}
+          ${{ inputs.prep }}
+        working-directory: ${{env.BUILD_DIRECTORY}}
 
       - name: Initialize CodeQL
         uses: github/codeql-action/init@v1
         with:
           languages: c
-          config-file: nasa/cFS/.github/codeql/codeql-coding-standard.yml@main
-
-      - name: Copy sample_defs
-        run: ${{ inputs.setup }}
-
-      - name: Make prep
-        run: ${{ inputs.make-prep }}
+          config-file: nasa/cFS/.github/codeql/codeql-${{matrix.scan-type}}.yml@main
 
-      - name: Make Install
+      - name: Build
         run: ${{ inputs.make }}
-
-      - name: Run tests
-        run: ${{ inputs.tests }}
+        working-directory: ${{env.BUILD_DIRECTORY}}
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v1
+        uses: github/codeql-action/analyze@v1
+        with:
+          add-snippets: true
+          category: ${{matrix.scan-type}}
+
+      - name: Archive Sarif
+        uses: actions/upload-artifact@v2
+        with:
+          name: CodeQL-Sarif-${{ matrix.scan-type }}
+          path: /home/runner/work/${{env.REPO}}/results/cpp.sarif